DrupalCon2012 notes

From Earth Science Information Partners (ESIP)

DrupalCON Denver 2012 – Notes by Ajinkya Kulkarni
Keynote (3/20) by Dries Buytaert: Winning the hearts and minds through innovation

* Drupal 7 grew 2.5 times faster than Drupal 6 (counted against the first 10,000 installations)
* Drupal weaknesses:
** Rudimentary authoring experience
** Aging web development framework
** Small Drupal talent pool
** Not mobile friendly
* Opportunities for Drupal:
** 1.5 million Drupal sites
** 6.7% of all CMS sites use Drupal
** 30% of all sites are CMS
** 25x growth over the next 5 years
* Drupal 8: embraces Symfony 2, RESTful web services, HTML5 responsive design
* Symfony 2: set of reusable PHP components, robust, well tested, healthy welcoming community

Keynote (3/21) by Mitchell Baker: Collaborative Development, the "Maker" Ethic and Internet Freedom

* Importance of open building blocks
* Ability to create
* Ability to participate
* Precursor to Internet freedom
* Mozilla's mission
** Consumer products (Firefox, marketplace, open web devices)
** Web Maker (journalism, films, learners)
* Web building blocks: HTML/CSS, JS → Mobile → Video → Identity → Social → Open WebApps → Web Maker
* New technologies from Mozilla
** Boot to Gecko http://www.mozilla.org/en-US/b2g/ in partnership with Telefónica
** HTML5 Media Framework http://popcornjs.org/, Drupal module: https://github.com/douglasmiller/drupal-popcorn, demo: http://webmademovies.etherworks.ca/popcorndemo/
** Single Sign On: http://www.mozilla.org/en-US/persona/

Keynote (3/22) by Luke Wroblewski: Mobile First

* Web products should be designed for mobile first
* Designing the mobile app first forces us to strip down to essentials
* 371K babies born per day, 1.5 million mobile devices activated per day
* 6 billion mobile connections, 12 billion in 2020
* $131M PayPal mobile payments processed in 2009, $4B in 2011
* Twitter: 55% mobile users
* Pandora: 70% mobile users
* Yelp: 85% of searches on mobile
* Facebook: 50% mobile web traffic
* Reduce request count and file size
* Take advantage of HTML5
* Design for speed: adaptive pre-loading

Session: Tame the Burrito: Understanding the Five Layers of Drupal

* Caching problem: each module tries to implement its own caching mechanism
* Drupal: 5-layer stack
*# Web framework (e.g. HTTP request, response caching, database access)
*# Building blocks (e.g. nodes, fields, Views, regions, blocks)
*# Building tools (e.g. Field UI, Views UI, Features, Drush, admin structure)
*# Distinct features (e.g. My Dashboard, photo gallery, newsletter, surveys, wikis)
*# Products (e.g. Drupal Gardens, OpenPublic, The Grammys)
* Separate form validation logic from the Drupal Form API's validation so that Drush, SimpleTest or an installation profile can reuse it
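The last point, as an added Drupal 7 illustration that is not from the session or from any Drupal project: the rules live in one plain function, and the Form API validate handler, a Drush command and a SimpleTest unit test each call it. The module name "burrito_demo" and the title/DOI rules are assumptions; the Drush hooks would sit in burrito_demo.drush.inc.

```php
<?php
/**
 * @file
 * Added example (not from the session): validation rules kept in a plain
 * function so the Form API, a Drush command and a SimpleTest case all call
 * the same code. Module name "burrito_demo" and the DOI/title rules are
 * assumptions; the Drush hooks would live in burrito_demo.drush.inc.
 */

/**
 * Pure validator: returns messages keyed by field name, empty when valid.
 * It knows nothing about $form_state, so it runs without any form at all.
 */
function burrito_demo_validate_dataset(array $values) {
  $errors = array();
  $title = isset($values['title']) ? trim($values['title']) : '';
  if ($title === '') {
    $errors['title'] = t('Title is required.');
  }
  elseif (drupal_strlen($title) > 128) {
    $errors['title'] = t('Title may not exceed 128 characters.');
  }
  $doi = isset($values['doi']) ? trim($values['doi']) : '';
  if (!preg_match('#^10\.\d{4,9}/\S+$#', $doi)) {
    $errors['doi'] = t('Enter a DOI of the form 10.NNNN/suffix.');
  }
  return $errors;
}

// Form API: the validate handler only maps messages onto form elements.
function burrito_demo_dataset_form($form, &$form_state) {
  $form['title'] = array('#type' => 'textfield', '#title' => t('Title'));
  $form['doi'] = array('#type' => 'textfield', '#title' => t('DOI'));
  $form['submit'] = array('#type' => 'submit', '#value' => t('Save'));
  return $form;
}

function burrito_demo_dataset_form_validate($form, &$form_state) {
  foreach (burrito_demo_validate_dataset($form_state['values']) as $name => $message) {
    form_set_error($name, $message);
  }
}

// Drush: same rules with no form rendering; messages go to the terminal.
function burrito_demo_drush_command() {
  $items['dataset-check'] = array(
    'description' => 'Validate a dataset record without the web UI.',
    'arguments' => array('title' => 'Dataset title', 'doi' => 'Dataset DOI'),
  );
  return $items;
}

function drush_burrito_demo_dataset_check($title = '', $doi = '') {
  $errors = burrito_demo_validate_dataset(array('title' => $title, 'doi' => $doi));
  foreach ($errors as $message) {
    drush_set_error('DATASET_INVALID', $message);
  }
  return empty($errors);
}

// SimpleTest: unit-test the rules directly, with no browser round trip.
class BurritoDemoValidateTestCase extends DrupalUnitTestCase {
  public static function getInfo() {
    return array(
      'name' => 'Dataset validator',
      'description' => 'Validation rules shared by form, Drush and tests.',
      'group' => 'Burrito demo',
    );
  }
  function setUp() {
    drupal_load('module', 'burrito_demo');
    parent::setUp();
  }
  function testRejectsBadDoiOnly() {
    $values = array('title' => 'Ocean temperature', 'doi' => 'not-a-doi');
    $errors = burrito_demo_validate_dataset($values);
    $this->assertTrue(isset($errors['doi']) && !isset($errors['title']));
  }
}
```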
 
 
 
 
  
 
Session: Native Mobile Application Development on Drupal

* Why not native?
*# Titanium supports multiple devices
*# Rapid prototyping
* Why native?
*# Faster performance
*# Manage errors on one side of the stack
*# No waiting on API updates
* Development process
*# Get the idea on paper
*# Wireframe (tools: Briefs or OmniGraffle)
*# Design
*# Development
* Mobile stack:
** Mobile apps ← Services ← Drupal
* Tools:
** Drupal iOS SDK: https://github.com/workhabitinc/drupal-ios-sdk
** Android Drupal APIs: Dandy https://github.com/workhabitinc/dandy
** Services Log: http://drupal.org/project/services_log
** Services module: use OAuth 3-legged authentication

Session: Science on Drupal

* Drupal uses in science:
** Libraries
** OpenScholar
** Social science
** Drupal test portal driven by VIVO. VIVO is a simple CMS, uses RDF and OWL, available as a VM
** Amazon Mechanical Turk integration
** DNA/RNA databases
** Public-facing research showcase
** Archive & preserve data
** Medical data
** podaac.jpl.nasa.gov

Session: ESIP Commons

* Notes by Erin: https://docs.google.com/a/esipfed.org/document/d/1qCBTHuKXhorEBZ7hpyKydCEnONmPGqqhnZdVdPaYYLo/edit?pli=1

Session: Drupal Security for Coders - How to Avoid "All Your Base Are Belong To Us"

* Why care?
** Security is business
** Affects your good name
** Your site is useful for bad guys no matter if it is big or small
* Keep up to date
** Subscribe to security advisory emails
** Have a consistent method for updating your site
* Checklist:
** Other than admin, do not let anyone use the Full HTML or PHP filter
** Most vulnerabilities are in custom themes and templates
** Use the Drupal DB API
** Use the Drupal Form API
** In doubt? Use check_plain()
** For URLs: check_url()
** For plain text: check_plain()
** For rich text: check_markup()
** For HTML: filter_xss()
* XSS is the major vulnerability, SQL injection is another
** Failure to escape user input or output
** You can do almost anything
** http://drupalsecurityreport.org/
** In the DB API, use placeholders
** XSS can happen via IMG tags
** Can run JS on a 3rd-party site
** Both GET and POST are vulnerable
** Form tokens or URL tokens tied to your session protect your
** When not using the Form API, use drupal_get_token() and drupal_valid_token(). See the Flag module for an example
* Dev/Themer harmony
** Use preprocess functions to provide safe variables for use in theme templates
** In Drupal 7 may need to be used with render()
* JS can do XSS better than humans
** Just loading a malicious third-party site can hack your Drupal account
* CSRF:
** Use a form token when there is a link to click
** Own caching can have problems: need a per-user cache
** Do not use password-based SSH (use key-based SSH)
* Drupal 7: $query->addTag('node_access');
* Drupal modules:
** security_review
** Coder
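The checklist above worked through on one feature, as an added Drupal 7 example that is not from the session, the Flag module or Drupal core: a non-Form-API action link protected with drupal_get_token()/drupal_valid_token(), DB API queries with placeholders and the node_access tag, output escaped by type, and a preprocess function handing the themer a safe variable. The module name "notes_secure", the path "notes-secure/star/%node" and the "star" action are assumptions.

```php
<?php
/**
 * @file
 * Added example (not from the session or from Drupal core): the checklist
 * above applied to a non-Form-API action link in Drupal 7. Module name
 * "notes_secure", path "notes-secure/star/%node" and the "star" action
 * are assumptions.
 */

/**
 * Implements hook_menu(). A plain link (the way the Flag module toggles)
 * carries no Form API token, so the access callback must check one itself.
 */
function notes_secure_menu() {
  $items['notes-secure/star/%node'] = array(
    'title' => 'Star this node',
    'page callback' => 'notes_secure_star_page',
    'page arguments' => array(2),
    'access callback' => 'notes_secure_star_access',
    'access arguments' => array(2),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// CSRF defence: ?token= must be the session-bound token for this exact
// action, which a third-party page cannot produce, so a forged GET is refused.
function notes_secure_star_access($node) {
  if (!user_access('access content') || empty($_GET['token'])) {
    return FALSE;
  }
  return drupal_valid_token($_GET['token'], 'notes_secure_star_' . $node->nid);
}

// Builds the link with its token. l() check_plain()s the text and url()
// encodes the query value, so nothing here needs manual escaping.
function notes_secure_star_link($node) {
  return l(t('Star this'), 'notes-secure/star/' . $node->nid, array(
    'query' => array('token' => drupal_get_token('notes_secure_star_' . $node->nid)),
  ));
}

// Dev/themer harmony: the template gets a pre-escaped variable instead of
// raw data, so node.tpl.php never has to remember check_plain() itself.
function notes_secure_preprocess_node(&$variables) {
  $variables['star_link'] = notes_secure_star_link($variables['node']);
}

// Page callback: DB API with placeholders, node_access tag on the listing,
// and each printed value escaped by the function that matches its type.
function notes_secure_star_page($node) {
  // The pattern the session warns against (never do this):
  //   db_query("SELECT title FROM {node} WHERE nid = " . $_GET['nid']);
  // With a placeholder the value can never change the SQL text.
  $title = db_query('SELECT title FROM {node} WHERE nid = :nid',
    array(':nid' => $node->nid))->fetchField();
  // Sibling listing; the node_access tag lets access modules restrict rows.
  $siblings = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.type', $node->type)
    ->condition('n.status', 1)
    ->addTag('node_access')
    ->range(0, 10)
    ->execute()
    ->fetchAllKeyed();
  $items = array();
  foreach ($siblings as $sibling_title) {
    $items[] = check_plain($sibling_title);  // plain text: check_plain()
  }
  // URL into an href: check_url(); %title inside t() is check_plain()ed.
  $back = check_url(url('node/' . $node->nid));
  $build['message'] = array(
    '#markup' => '<p>' . t('Starred %title.', array('%title' => $title)) . '</p>',
  );
  $build['siblings'] = array('#theme' => 'item_list', '#items' => $items);
  $build['back'] = array('#markup' => '<p><a href="' . $back . '">' . t('Back') . '</a></p>');
  return $build;
}
```

theme_item_list() does not escape its items, which is why each title is passed through check_plain() before it goes into the render array.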
 
 
 
 
   
 
   
 
Session: Fast flexible architecture

* Engineering axes
** Fast to run
** Low memory
** Scalability
** Modifiability
** Extensibility
* Human axes:
** Usability/UX for end users
** Understandability for developers
** Learnability for both
** Maintainability
* Command line is very powerful
** Graphical UI is learnable but slows down the interface
* QA axes
** Testability – ability to write tests
** Verifiability – code will do what it is supposed to do
* Who cares?
** Your client
** Your boss
** You in 6 months (to fix performance & scalability)
* To what extent do I care about mobile?
** Responsive design limits
** Target audience
** Look at traffic logs, browser stats
** Responsive design is not always needed
** Hand coding is OK for site-specific code
** Node reference in Drupal 5 loads all nodes: very bad
** Overridable by any module or by any specific site
* Do I care if an operation is fast?
** Modifiability vs. performance
** Expediency vs. modifiability
** Extensibility vs. testability
** Extensibility vs. understandability
** Verifiability vs. expediency
* Can't prove PHP code is correct mathematically (do not use it for a nuclear reactor)
* Your job is to balance -> what is worth my time -> write the most appropriate code
* Drupal assumes everything is a page -> Symfony solves this problem -> serves only parts -> Symfony already implemented what Drupal 8 wanted
* Put Varnish & memcache in place at least (Acquia Cloud & Pantheon use them)

Session: Symfony

* The 'Drupal way' is not used in the rest of the PHP community
* Drupal is a barrier to entry for developers
* Refactor towards a 'framework' core
* Drupal needs a more standardized framework
* Symfony 2 is MIT licensed, on GitHub
* Symfony 2 is a reusable set of standalone, cohesive PHP components that solve common web development problems
* An object-oriented set of classes
* Compatible with PHP 5.3 & later
* A full-stack web framework
* http://tools.ietf.org/html/rfc2616 is a must-read for PHP developers
* http://en.wikipedia.org/wiki/Edge_Side_Includes

Session: Views for developers

* Views modules:
** Views Slideshow module
** Views Bulk Operations module
** Semantic Views module
** Views Link Area module
** Display Suite module
** Fences module
* Result/page summaries
* Views documentation: http://api.drupal.org/api/views/groups
* Webform Views integration: https://github.com/derhasi/webform/tree/master/views , https://github.com/derhasi/webform/blob/master/views/webform.views.inc

Session: Drush 5

* New features:
** shell-alias
** Windows-compatible installer sponsored by Microsoft
** Drush make in Drush core
** Drush autocomplete
** Built-in server
** Drush quick-drupal command
** Drush runner for the Queue API
** Drush support for multi-site setups
** Drush site-set command

Session: Delivering Drupal

* Everybody needs to use Jenkins: http://jenkins-ci.org/ & http://jenkins-php.org/
* Use PHP build systems: http://www.phing.info/trac/, https://github.com/indeyets/pake/wiki , https://github.com/mlively/Phake/wiki
* Try http://drupal.org/project/stage_file_proxy, http://drupal.org/project/deploy
* For code deploys: http://drupal.org/project/drush_deploy
* Use PHPUnit, Selenium etc.
* Ruby: https://github.com/jnicklas/capybara
* http://cukes.info/
* PHP: http://behat.org/
* Vagrant: http://vagrantup.com/, http://drupal.org/project/vagrant


Revision as of 00:03, October 4, 2021
